
Using the Active Directory Bridge

If your organization was created after Tuesday, April 11 2017, this article is not applicable.

Operation and usage



The JumpCloud AD Bridge mirrors users and their groups to JumpCloud based on the contents of two Security Groups that you add to your Active Directory domain (both must be created in the default Users container, CN=Users):
  1. JumpCloud - users or groups within this group will be mirrored to JumpCloud. In JumpCloud the users will show as having come from Active Directory. Groups are reflected as Tags in JumpCloud. Any group of which a synchronized user is a member (whether or not that group is itself inside the "JumpCloud" group in AD) will be created as a Tag in JumpCloud. You can choose whether or not to grant server access to those tags, at your discretion.
  2. JumpCloud Admins - any user in this group who is also a member of the "JumpCloud" group will be given "System Admin/Sudo" access. This lets you control administrator access to all resources managed by JumpCloud directly from your Active Directory console. NOTE: The "JumpCloud Admins" group does not cause any users to be synchronized to JumpCloud; it only enables or disables sudo/System Administrator access for users who are already in the "JumpCloud" group. A user in "JumpCloud Admins" but not in "JumpCloud" is neither synchronized nor granted sudo.
The "JumpCloud" security group is required; the "JumpCloud Admins" group is optional. The JumpCloud AD Bridge keys off those two group names exactly as they are written above.

JumpCloud mirrors the following data fields from Active Directory:
  • First and Last Name
  • Email address
  • Username
Changes to those fields will be reflected in JumpCloud within approximately 90 seconds.

Note:  The use of the Active Directory Bridge with Google Apps or Office 365 User Provisioning is mutually exclusive. A pre-existing AD Bridge Agent can be de-activated in order to integrate with Google Apps or Office 365. The same applies in reverse.

Note: The JumpCloud agent is not supported on a domain joined system. 
 

Changing the Email Address or User Name


If you change the email address of the user in the General tab of the User Properties window, or change the user logon name in the Account tab of the User Properties window, the AD Bridge will delete the original JumpCloud user account and re-add it under the new name. The user will have to reset their password in Windows again, after which they receive the same access as the original user (subject to the WARNING under Impacts below regarding non-AD tags and SSH keys).

All users synced to JumpCloud must have an email address. JumpCloud looks for the address in two places, in order:
  • First, the "E-mail:" field on the General tab of the user's Properties window (the mail attribute).
  • Second, if that field is empty, the user logon name on the Account tab, where login name@domain is taken as the user's email address.
  • The email address in AD and the one in JumpCloud must match exactly. If either side is modified, they must be brought back into alignment before the user will sync correctly.

Temporarily Halting Active Directory Bridging


You can temporarily disable Active Directory bridge operation by clicking "Disable" in the Identity Sources tab for the Active Directory server you want to disable. This can be helpful when you're performing maintenance on an Active Directory server, and you don't want JumpCloud to create warnings that the server is unavailable.
 

Restarting the JumpCloud AD Bridge Agent


Should it ever become necessary, you can restart the JumpCloud bridge by opening the service manager (services.msc), finding "JumpCloud AD Bridge Agent", right clicking it, and selecting "Restart".
 

Impacts


What do users experience?

  • As soon as a user is added to the security group named "JumpCloud" within Active Directory, they will be synchronized to JumpCloud.
  • As with users newly created in JumpCloud, a "Welcome" email will be delivered to the email address of the identity when the user is added to the "JumpCloud" security group.
  • All password changes for the user must be made on a Windows workstation or on a domain controller.
  • Users will be unable to access any resources controlled by JumpCloud until they reset their password on their Windows workstation or on a domain controller.

What should domain administrators know?

  • Any user synchronized from Active Directory to JumpCloud should continue to be managed within Active Directory. Such users cannot be modified within JumpCloud while the Active Directory Bridge is in use. Active Directory acts as the authoritative source of the identity and propagates changes to JumpCloud.
  • Users synchronized to JumpCloud can be given authorization on any JumpCloud-managed systems or resources, and can also be synchronized from JumpCloud to Google Apps. This means that Active Directory synchronized users can be added to tags not sourced from Active Directory.
  • Disabling a user in Active Directory will delete the user account from JumpCloud (and eliminate all access to JumpCloud-managed systems or resources for that user, as a result).
  • Any Active Directory security groups added to the JumpCloud security group will be added as tags to JumpCloud, and any users within those security groups will be synchronized to JumpCloud, and will be associated with the same named tag in JumpCloud. This is also handled recursively, so a security group that contains other security groups will also be added to JumpCloud. The hierarchical structure of recursively-added security groups is flattened, though the access conferred by membership in those groups is retained. That is, a user in security group "admins", which itself is a member of "Finance", would appear in an "admins" and a "Finance" tag in JumpCloud.
  • User membership in Active Directory sourced tags cannot be altered in JumpCloud (it should be done from AD), though systems can be associated or dissociated within JumpCloud.
  • Active Directory Bridge users cannot be bound to a system for account takeover (refer to Taking Over an Existing User Account with JumpCloud) if that account is already managed.
  • Logging: The AD Bridge log can be found in c:\Windows\Temp\JumpCloud_AD_Integration.log
WARNING: If the username needs to change within AD, the AD Bridge will delete that user's account in JumpCloud, and re-create it with the new user name. This is because JumpCloud disallows username changes. That means that any users who go through a username change will need to be re-associated in any non-AD-sourced tags. It also means that if the user has added any public SSH keys to their user account within JumpCloud, those will be lost.
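The group layout described under Operation and usage, the two-step email lookup, and the recursive flattening of nested groups above can all be checked from the domain before the bridge is enabled. The following PowerShell pre-flight script is an added example and is not JumpCloud's own tooling. It assumes the RSAT ActiveDirectory module is installed, read access to the domain, and that the group names "JumpCloud" and "JumpCloud Admins" are used exactly as this article requires; the function names Test-BridgeGroup and Get-NestedGroup are this example's own.

```powershell
# Added example (not JumpCloud's code): read-only pre-flight audit for the AD Bridge.
# Assumes the RSAT ActiveDirectory module and a domain-joined, authenticated session.
Import-Module ActiveDirectory

$Domain      = Get-ADDomain
$UsersCn     = "CN=Users,$($Domain.DistinguishedName)"   # default Users container
$BridgeGroup = "JumpCloud"                               # exact names the bridge keys off
$AdminGroup  = "JumpCloud Admins"

# Verify a bridge group exists, is a Security group, and lives in CN=Users.
function Test-BridgeGroup {
    param([string]$Name, [switch]$Required)
    $g = Get-ADGroup -Filter "Name -eq '$Name'" -ErrorAction SilentlyContinue
    if (-not $g) {
        if ($Required) { Write-Warning "Required group '$Name' is missing" }
        else           { Write-Host    "Optional group '$Name' not present" }
        return $null
    }
    if ($g.GroupCategory -ne 'Security') { Write-Warning "'$Name' is not a Security group" }
    if ($g.DistinguishedName -ne "CN=$Name,$UsersCn") {
        Write-Warning "'$Name' is at $($g.DistinguishedName); expected under $UsersCn"
    }
    return $g
}

# Walk nested groups depth-first; the HashSet stops loops if groups contain each other.
function Get-NestedGroup {
    param($Group, [System.Collections.Generic.HashSet[string]]$Seen)
    foreach ($m in (Get-ADGroupMember -Identity $Group | Where-Object objectClass -eq 'group')) {
        if ($Seen.Add($m.DistinguishedName)) {
            $m
            Get-NestedGroup -Group $m -Seen $Seen
        }
    }
}

$bridge = Test-BridgeGroup -Name $BridgeGroup -Required
$admins = Test-BridgeGroup -Name $AdminGroup
if (-not $bridge) { return }

# Every nested group becomes a flat tag in JumpCloud, regardless of depth.
$seen = [System.Collections.Generic.HashSet[string]]::new()
Get-NestedGroup -Group $bridge -Seen $seen |
    ForEach-Object { Write-Host "Group '$($_.Name)' will appear as a JumpCloud tag" }

# Users are collected recursively; resolve each one's email the way the bridge does.
$users = Get-ADGroupMember -Identity $bridge -Recursive |
         Where-Object objectClass -eq 'user' |
         Get-ADUser -Properties mail, UserPrincipalName, Enabled

foreach ($u in $users) {
    $email = if ($u.mail) { $u.mail } else { $u.UserPrincipalName }   # General tab first, then UPN
    if (-not $email)     { Write-Warning "$($u.SamAccountName): no email and no UPN; sync will fail" }
    if (-not $u.Enabled) { Write-Warning "$($u.SamAccountName): disabled; will be deleted from JumpCloud" }
    Write-Host ("{0,-20} {1}" -f $u.SamAccountName, $email)
}

# "JumpCloud Admins" only grants sudo to users who are also in "JumpCloud".
if ($admins) {
    $synced = @($users | ForEach-Object DistinguishedName)
    Get-ADGroupMember -Identity $admins -Recursive |
        Where-Object { $_.objectClass -eq 'user' -and $synced -notcontains $_.DistinguishedName } |
        ForEach-Object { Write-Warning "$($_.SamAccountName) is in '$AdminGroup' but not '$BridgeGroup'; no sync, no sudo" }
}
```

Run it from an elevated PowerShell session on a domain-joined admin workstation. The script only reads the directory; anything it flags (a misplaced group, a user with neither a mail attribute nor a UPN, a disabled account, or an admin who is not also a "JumpCloud" member) corresponds to a behaviour described in this article and should be corrected in Active Directory, not in JumpCloud.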
 

Last Updated: Apr 17, 2017 11:29AM MDT
